----- Original Message -----
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Sunday, February 29, 2004 12:44 PM
Subject: Re: [spf-discuss] Re: Possible SPF machine-domain loophole???
> > > Yesterday (Feb 25), we got 6 transactions which exploited the SPF
> > > loophole. Here is a summary of the transaction logs:
> > > Client IP: 206.66.146.23 (unknown)
> > > 13:23:51 C: EHLO santronics.com
> > > 13:23:51 C: MAIL FROM: <reynoldcgin(_at_)altavista(_dot_)com>
> > > 13:23:51 C: RCPT TO: <andrea(_dot_)santos(_at_)santronics(_dot_)com>

> > Again, bull. Your configuration is broken. Or you do not know how to
> > interpret the results of an SPF lookup. The above query clearly produces
> > a "fail" (see below). I ask that you please cease and desist this
> > nonsense.

> Sorry, Mark. The only nonsense I see is your denial of a SPF loophole.

There is no loophole. What remains, however, is your failure to grasp how
SPF checks against the HELO string; moreover, your inability to grasp why an
invalid HELO string is irrelevant when SPF checks are done against it, using
the client IP address.

> > I have laid it out many times now. I see no point in explaining again what
> > you could easily solve by reading again.

> It is obvious you can't see the problem.

I cannot see what is not there.

> In fact, via direct email, Meng has acknowledged the "issue" and
> is currently deciding on how to best address it.

I'm sure Meng acknowledged that no domain validity checks are done against
the HELO string. I very seriously, and openly, doubt, though, that you got a
private response from Meng in which he sees this as an SPF loophole.
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
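An added worked example of the point argued above (my own code, not from any poster in this thread): the HELO domain's SPF record is evaluated against the connecting client IP in exactly the same way as the MAIL FROM domain's, so a forged HELO gets "fail" (or "none" if the domain publishes no record) rather than a free pass. The SPF records here are constructed for the example and are not the real DNS records of santronics.com or altavista.com; only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed SPF records for the example; NOT the real records of these domains.
SPF_RECORDS = {
    "santronics.com": "v=spf1 ip4:192.0.2.0/24 -all",    # hypothetical
    "altavista.com": "v=spf1 ip4:198.51.100.0/24 ~all",  # hypothetical
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    Handles only ip4:, ip6: and all; a/mx/include/redirect are ignored here,
    which is enough to show how a HELO identity is checked against the IP.
    """
    record = records.get(domain.lower())
    if record is None:
        return "none"                       # no SPF record published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                   # "all" always matches
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed network in record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                        # no mechanism matched, no "all"


def check_transaction(client_ip, helo, mail_from):
    """Run both SPF identities from one SMTP transaction against the client IP."""
    mail_from_domain = mail_from.rsplit("@", 1)[-1]
    return {
        "helo": check_spf(helo, client_ip),
        "mailfrom": check_spf(mail_from_domain, client_ip),
    }
```

Applied to the logged transaction (client 206.66.146.23, EHLO santronics.com) the HELO check returns "fail" under the constructed record, because the IP is not among those the domain authorizes.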